FortiGate

Background

The FortiGate analysis App automatically collects, reads, parses, analyzes and reports on all machine-generated log data of the device, and presents a comprehensive set of graphs and reports for analyzing network- and firewall-generated data. Use a predefined set of dashboards and widgets to visualize and address IP distribution, traffic behavior, interface utilization and possible viruses within the network. This log analysis App helps you measure, troubleshoot, and optimize your network's integrity, stability and quality through its several visualization and investigation dashboards.

Steps:

  • The FortiGate logging application is based on the log output of the FortiGate console.

    To enable the application in the XpoLog software, please do the following:
  • Create a TCP/UDP listener in your XpoLog environment, and note the protocol and port you chose, since the FortiGate syslog settings in the next step must match them.
  • Log in to your FortiGate console and direct it to send the logs as syslog to the listener configured in the previous step.
    When adding or editing the FortiGate log in XpoLog, it is mandatory to apply the correct log types:
  • syslog, firewall, fortigate
  • Once the required information is set, edit the log pattern; this step is crucial to the accuracy and deployment of the FortiGate App. Use the following pattern for each of the logs:
    XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Message_Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{properties:Message,keysSep==;propSep=space;,date#_#ftype=date#_#name=Date;time#_#ftype=time#_#name=Time;devname#_#ftype=devname#_#name=DevName;devid#_#ftype=devid#_#name=DevID;logid#_#ftype=logid;type#_#ftype=type#_#name=Type;subtype#_#ftype=subtype#_#name=Subtype;eventtype#_#ftype=eventtype#_#name=Event Type;dtype#_#ftype=dtype#_#name=dtype;level#_#ftype=level#_#name=Level;vd#_#ftype=domain#_#name=Domain;logtime#_#ftype=logtime#_#columnType=timestamp;logdesc#_#ftype=logdesc;user#_#ftype=username#_#name=Username;unauthuser#_#ftype=unauthusername#_#name=UnAuth Username;unauthusersource#_#ftype=usernamesource#_#name=UnAuth Username Source;method#_#ftype=method#_#name=Method;status#_#ftype=status#_#name=Status;reason#_#ftype=reason#_#name=Reason;profile#_#ftype=profile#_#name=Profile;srcip#_#ftype=sourceip#_#name=SRC-IP;srcname#_#ftype=sourcename#_#name=SRC-Name;srcport#_#ftype=sourceport#_#name=SRC-Port;srcintf#_#ftype=srcintf#_#name=Srcintf;srcintfrole#_#ftype=srcintfrole#_#name=Srcintfrole;dstip#_#ftype=targetip#_#name=DST-IP;dstname#_#ftype=targetname#_#name=DST-Name;dstport#_#ftype=targetport#_#name=DST-Port;dstintf#_#ftype=dstintf#_#name=Dstintf;dstintfrole#_#ftype=dstintfrole#_#name=Dstintfrole;poluuid#_#ftype=poluuid#_#name=Poluuid;sessionid#_#ftype=sessionid#_#name=Sessionid;proto#_#ftype=proto#_#name=Proto;direction#_#ftype=direction#_#name=Direction;url#_#ftype=requrl#_#name=URL;agent#_#ftype=useragent#_#name=Agent;action#_#ftype=eventName#_#name=Action;hostname#_#ftype=hostname#_#name=Hostname;policyid#_#ftype=policyid#_#name=PolicyID;policytype#_#ftype=policytype#_#name=Policytype;service#_#ftype=service#_#name=service;attack#_#ftype=attack#_#name=Attack;filename#_#ftype=filename#_#name=Filename;virus#_#ftype
=virus#_#name=Virus;appid#_#ftype=appid#_#name=AppId;dstcountry#_#ftype=dstcountry#_#name=DstCountry;srccountry#_#ftype=srccountry#_#name=SrcCountry;app#_#ftype=app#_#name=App;duration#_#ftype=duration#_#name=Duration;sentbyte#_#ftype=bytessent#_#name=SentByte;rcvdbyte#_#ftype=bytesreceived#_#name=RcvdByte;sentpkt#_#ftype=sentpkt#_#name=Sentpkt;rcvdpkt#_#ftype=rcvdpkt#_#name=Rcvdpkt;countapp#_#ftype=countapp#_#name=Countapp;osname#_#ftype=osname#_#name=OSname;osversion#_#ftype=osversion#_#name=OSversion;mastersrcmac#_#ftype=mastersrcmac#_#name=Mastersrcmac;srcmac#_#ftype=srcmac#_#name=Srcmac;masterdstmac#_#ftype=masterdstmac#_#name=Masterdstmac;dstmac#_#ftype=dstmac#_#name=Dstmac;srcserver#_#ftype=srcserver#_#name=Src Server;dstserver#_#ftype=dstserver#_#name=Dst Server;appcat#_#ftype=appcat#_#name=Appcat;crscore#_#ftype=crscore#_#name=CRscore;craction#_#ftype=craction#_#name=CRaction;crlevel#_#ftype=crlevel#_#name=CRlevel;cpu#_#ftype=cpu#_#name=CPU;mem#_#ftype=mem#_#name=MEM;totalsession#_#ftype=totalsession#_#name=Totalsession;disk#_#ftype=disk#_#name=Disk;bandwidth#_#ftype=bandwidth#_#name=Bandwidth;setuprate#_#ftype=setuprate#_#name=Setuprate;disklograte#_#ftype=disklograte#_#name=Disklograte;fazlograte#_#ftype=fazlograte#_#name=Fazlograte;msg#_#ftype=message#_#name=MSG;apprisk#_#ftype=apprisk#_#name=Apprisk;applist#_#ftype=applist#_#name=Applist;scertcname#_#ftype=scertcname#_#name=Scertcname;scertissuer#_#ftype=scertissuer#_#name=Scertissuer;tunneltype#_#ftype=tunneltype#_#name=Tunnel Type;tunnelid#_#type=tunnelid#_#name=TunnelID;remip#_#ftype=remip#_#name=Rem IP;tunnelip#_#ftype=tunnelip#_#name=Tunnel IP;group#_#ftype=usergroup#_#name=Group;dst_host#_#ftype=dsthost#_#name=dsthost;eventtime#_#ftype=eventtime#_#name=Event Time;devtype#_#ftype=devicetype#_#name=Device Type;transip#_#ftype=transip#_#name=Trans IP;transport#_#ftype=transport#_#name=Trans Port;trandisp#_#ftype=trandisp#_#name=Trand ISP;incidentserialno#_#ftype=incidentserial#_#name=Incident Serial 
Number;utmaction#_#ftype=utmaction#_#name=UTM Action;interface#_#ftype=interface#_#name=Interface;dhcp_msg#_#ftype=dhcpmsg#_#name=DHCP MSG;lease#_#ftype=lease#_#name=Lease;locip#_#ftype=locip#_#name=LocalIP;remport#_#ftype=remport#_#name=Remote Port;locport#_#ftype=locport#_#name=Local Port;outintf#_#ftype=outintf#_#name=Out Interface;cookies#_#ftype=cookies#_#name=Cookies;xauthuser#_#ftype=xauthuser#_#name=XAuth User;xauthgroup#_#ftype=xauthgroup#_#name=XAuth Group;assignip#_#ftype=assignip#_#name=Assign IP;vpntunnel#_#ftype=vpntunnel#_#name=VPN Tunnel;nextstat#_#ftype=nextstat#_#name=Next Stat;fcnl#_#ftype=fcnl#_#name=FCNL;fdni#_#ftype=fdni#_#name=FDNI;fsci#_#ftype=fsci#_#name=FSCI;fcni#_#ftype=fcni#_#name=FCNI;auditid#_#ftype=auditid#_#name=Audit ID;audittime#_#ftype=audittyme#_#name=Audit Type;auditscore#_#ftype=auditscore#_#name=Audit Score;criticalcount#_#ftype=criticalcount#_#name=Critical Count;highcount#_#ftype=highcount#_#name=High Count;mediumcount#_#ftype=mmediumcount#_#name=Medium Count;lowcount#_#ftype=lowcount#_#name= Low Count;passedcount#_#ftype=passedcount#_#name=Passed Count;init#_#ftype=init#_#name=Init;mode#_#ftype=mode#_#name=Mode;dir#_#ftype=dir#_#name=Dir;stage#_#ftype=stage#_#name=Stage;role#_#ftype=role#_#name=Role;result#_#ftype=result#_#name=Result;total#_#ftype=total#_#name=Total;used#_#ftype=used#_#name=Used;license_limit#_#ftype=licenselimit#_#name=License Limit;used_for_type#_#ftype=usedfortype#_#name=Used For Type;connection_type#_#ftype=connectiontype#_#name=Connection Type;count#_#ftype=count#_#name=Count;name#_#ftype=name#_#name=Name;fctuid#_#ftype=fctuid#_#name=fctUID;mac#_#ftype=mac#_#name=MAC;authserver#_#ftype=authserver#_#name=Auth Server;phase2_name#_#ftype=phase2name#_#name=Phase2 Name;ui#_#ftype=ui#_#name=UI;esptransform#_#ftype=esptransform#_#name=ESP Transform;espauth#_#ftype=espauth#_#name=ESP Auth;sn#_#ftype=sn#_#name=SN;error_num#_#ftype=errornum#_#name=Error Num;in_spi#_#ftype=inspi#_#name=In 
SPI;out_spi#_#ftype=outspi#_#name=Out SPI;spi#_#ftype=spi#_#name=SPI;seq#_#ftype=seq#_#name=SEQ;peer_notif#_#ftype=peernotif#_#name=Peer Notif;state#_#ftype=state#_#name=State;exch#_#ftype=exch#_#name=Exch;version#_#ftype=version#_#name=Version;cfgtid#_#ftype=cfgtid#_#name=Cfgtid;cfgpath#_#ftype=cfgpath#_#name=Cfg path;cfgobj#_#ftype=cfgobj#_#name=Cfgobj;cfgattr#_#ftype=cfgattr#_#name=Cfgattr;shapingpolicyid#_#ftype=shapingpolicyid#_#name=Shaping PolicyID;shapersentname#_#ftype=shapersentname#_#name=Shaper Sent Name;shaperdropsentbyte#_#ftype=shaperdropsentbyte#_#name=Shaper Drop Sent Byte;shaperrcvdname#_#ftype=shaperrcvdname#_#name=Shaper Drop Rcvd Name;shaperdroprcvdbyte#_#ftype=shaperdroprcvdbyte#_#name=Shaper Drop Rcvd Byte;dstdevtype#_#ftype=dstdevtype#_#name=Dst Device Type;dstosname#_#ftype=dstosname#_#name=Dst OS Name;dstosversion#_#ftype=dstosversion#_#name=Dst OS Version;dstunauthuser#_#ftype=dstunauthuser#_#name=Dst UnAuth User;dstunauthusersource#_#ftype=dstunauthusersource#_#name=Dst UnAuth User Source}